Black Friday and Cyber Monday (BFCM) mark the beginning of the busiest time of year for consumers, retailers and… cyber-criminals. With online traffic and transactions hitting their peaks, fraud attempts will increase, as fraudsters feast on the opportunity. Knowing that retailers are especially busy, cyber-criminals are often able to sneak more fraudulent orders in under the radar and cause significant damage to an online store.
Who better to discuss how ecommerce business owners can protect their Shopify store this BFCM than the industry leader in fraud prevention, Signifyd? Here, we catch up with the Senior Client Services Manager at Signifyd, Kimberly So, to find out more…
For a new merchant who might not know – what does a fraudulent order look like?
From a fraudster’s perspective, the best fraudulent order looks just like a legitimate order. But actually, there are some red flags that merchants can look for. The best approach for merchants who choose to review orders on their own is to understand the story around the order based on the many signals that come with any transaction.
Start with whether you’ve seen this customer before. If the customer has purchased from you before without a problem, you’re probably looking at a good order. Even with a known customer, though, keep an eye out for anomalies.
Are the customer’s transactions suddenly reflecting much higher order values? Is the customer purchasing items that seem out of the ordinary? Are you seeing new email or delivery addresses? If so, the customer’s account might have been compromised. And of course, if you’re reviewing an order from a known customer and either the card being used, or the device, or the IP address, or delivery or billing address is connected to a previous fraudulent order, you’re going to want to decline that order. But maybe you haven’t seen the customer before. So, what do you look for?
Have you seen the device being used before? Does it appear that the same individual is using the device? Or is a different credit card involved? A different delivery address?
Do the billing address and delivery address match? If they don’t, that could be a troubling sign. But maybe not. Could the customer be shipping the product to a friend or relative, or the office or a holiday home or a new home she or he has yet to move into?
What about the IP address? Is the device location near the billing address? What about the delivery address? Does the device location make sense in relation to the other physical addresses?
What about the email address? Is it brand new? Is the email address itself an odd jumble of letters and numbers? Legitimate customers tend to have aged email addresses that appear to have some personal relevance.
Is the customer buying more than one of the same thing — a batch of iPhones, a batch of laptops, a dozen shirts?
Are a number of different customers shipping items to the same address? Maybe it’s a big family. Maybe it’s a fraud ring.
Is the delivery address a residence? Or are items being shipped to a warehouse, maybe a reshipping company?
The thing to remember, though, is that the red flags are just that — warning signs. Plenty of legitimate orders come with anomalies for which there are reasonable explanations. In your zest to identify fraudulent orders, you don’t want to become overzealous and turn away good orders. It’s a lot to keep track of. That’s why many successful retailers turn to automated systems to offload some, or all, of the work of fraud prevention and protection.
How rapidly can a threat be detected during BFCM and what should a merchant do if their online store has been compromised?
So, the speed with which a fraud threat can be detected depends on the sophistication of the fraud and the bandwidth of those in the retail enterprise to monitor orders for fraud. Unfortunately, the most sophisticated fraud attacks can go undetected for some time if a merchant is relying primarily on humans to manually review orders. That’s especially true during Cyber Week. For most retailers, the number of online orders spikes dramatically from Black Friday through Cyber Monday — and for weeks beyond, frankly. Fraudsters take advantage by hiding in the noise of the big increase in order volume.
Sometimes the fraud vector isn’t discovered until long after the bad orders have been shipped and the retailer begins to receive chargebacks from innocent consumers whose credit cards were used to commit fraud. Again, that’s why retailers often rely on automated systems and machine learning to protect themselves from fraud before an order is shipped.
Fraud tools that combine big data and artificial intelligence recognize fraudulent orders based on past experience with millions of other orders. Machine-learning insights allow the retailer to automatically decline the order or pull it out for review, rather than ship it out and take the loss.
The alternative is to have teams of manual reviewers screen orders for the sorts of red flags I mentioned earlier. That can be a big job any time of year. During the holiday shopping season, it’s a serious challenge that often requires a retailer to bring on temporary holiday help to keep up with the volume of orders.
Those fraud teams have an opportunity to discover the fraud before an order has been shipped, as long as they recognize an order as fraudulent based either on fraud activity they’ve seen before or because they believe the red flags indicate fraud.
What impact does an attack have on an ecommerce store?
The impact, as you might guess, is not good. There is the obvious damage, of course. The ecommerce store loses the revenue it would have realized from the sale. And they’re out the inventory that they would have sold. During the holiday season, the loss of inventory can be even more painful than during the rest of the year.
If a fraud ring makes off with a hot gift item — or with many of the hot gift item — the retailer loses the opportunity to sell that product. Will it have the same appeal in January or whenever the merchant is able to replenish the stock? Who knows?
Beyond the immediate financial loss, fraud attacks can do reputational damage. The merchant becomes a mark, as fraudsters pass the word that the particular merchant is an easy target. So fraud attacks beget more fraud attacks. And if a merchant’s chargeback rate increases too dramatically due to fraud, it might find itself in one of the card companies’ monitoring programs. Monitoring can lead card companies to increase processing fees and it will lead to a need for the merchant to demonstrate that it can bring its chargeback rate back down.
The fraud pressure can also lead some merchants to become hypervigilant to the point that they are declining legitimate orders from good customers. When that happens, the retailer loses the immediate sale and potentially loses a good customer for life.
Is there a difference in fraudulent orders based on the device used e.g. Mobile Vs Desktop?
Mobile has definitely been a bigger concern among retailers when it comes to online fraud, simply because mobile traffic and conversions have grown dramatically in recent years. Mobile is how we live our daily lives. The channel allows added convenience for consumers and some added opportunities for fraudsters. Mobile purchases can be made through apps or mobile web. Retailers are primarily focused on making the buying experience as frictionless as possible, given the difficulty of filling out forms on mobile devices.
Mobile devices can be spoofed relatively easily. How many times have you got a call on your mobile that looks like it’s from your local area — maybe even with a prefix that’s the same as your family plan — only to find it’s a spam call?
Fraudsters can make a mobile phone look like it has a different number, different geolocation. They can even make it appear as though the order is being made on a laptop, which might cause fraud reviewers to drop their guard. Fraudsters have also become skilled at breaching mobile wallets and using the payment methods and funds available there to make mobile purchases.
The good news is that mobile devices do open up a few more signals that can help verify an order. The very signals that fraudsters try to exploit — mobile wallet and payment method tokenization, geolocation information, device ID etc. — can be used to assess the order. And while fraudsters work to manipulate those signals, sophisticated fraud protection solutions, relying on thousands of signals, can see through the ruse and even use the manipulation as evidence that fraud is in play.
A quarter of UK consumers who have shopped during BFCM say they have experienced attempts at fraud. So how can online retailers prepare their customers for an influx in fraud activity?
We surveyed consumers in January and asked them about this very thing. In our poll, conducted by Upwave, 55% of consumers said they’d experienced fraudulent charges on their credit accounts. So, it’s obviously a serious problem.
Retailers can play a role in helping consumers avoid being victimized by fraudsters. Merchants should encourage customers to practice good password hygiene. In an earlier survey, 54% of consumers told us they use the same user name and password combination across multiple sites.
A gentle reminder from retailers that consumers should use strong passwords, and different passwords, on their various accounts, would go a long way to keeping customers’ credit accounts and personally identifiable information secure.
Nudging customers to be vigilant when it comes to their credit accounts would help, too. Sometimes consumers don’t realise that they’ve been a victim of fraud until they are victimised repeatedly and something catches their eye on a credit card statement. It’s best to keep up on those charges, perhaps reviewing them online in the middle of the month before a statement arrives in the mail or by email.
Retailers might want to go so far as creating a security hub on their websites complete with tips. It’s one way to build a relationship with customers, to show you value them and that you expect to be engaged with each other for a long time to come.
Given COVID-19 concerns this BFCM, more retailers are considering launching or increasing their click-and-collect efforts — including adding click-to-cart. Do such options change the face of fraud?
It turns out consumers are also thinking a lot about click-and-collect. More than 77% of UK consumers told us that they would either not shop in stores this holiday season or that they would limit their store visits as much as possible. Many of those shoppers are turning to ecommerce and 39% of those surveyed said they intended to use click-and-collect more this year than they did last holiday season.
Click-and-collect does come with some risk management challenges. The orders need to be fulfilled quickly. Consumers expect to be able to pick up their orders within hours. The orders also come without a delivery address, which means fraud teams are working without a key piece of data for verifying a customer’s identity.
Besides making sure that retailers have excellent inventory insights and a dedicated area for customers to collect orders, we recommend that retailers take specific steps to reduce fraud risk.
Store associates should be trained specifically for click-and-collect. You might want a dedicated team for the holiday shopping season, depending on what kind of increase in click-and-collect orders you see. Requiring specific identification from customers or a specific PIN for locker pickup is a best practice.
Again, retailers might want to consider an automated fraud protection solution. Machine-learning-based systems can easily scale up as orders increase and their ability to instantly identify legitimate and fraudulent orders means packages will be ready for collection when customers arrive.
Can you give an example of a brand who smashed BFCM in previous years and why?
The truth is, most of our customers smash it during Cyber Week. It’s showtime for retailers and for many, the fourth quarter is the difference between a profitable year and an unprofitable one. One standout is Natural Baby Shower. The retailer shipped three times as many orders during Cyber Week as it does in a typical month. The key to their Cyber Week success? It was the work they had done all year to build genuine relationships with customers.
Natural Baby Shower, which sells mostly online, tends to connect with customers at a crucial time in their lives. Many of the merchant’s customers are soon-to-be parents, looking for prams and cribs and baby clothes. But they are also looking for information and reassurance and commiseration. This retailer provided it in spades — through social media and blog posts and even physical events, pre-COVID, that featured parenting classes and lectures. And, if I could brag a little, they made sure their IT stack was ready for a big spike in holiday orders, including by relying on Signifyd. The order automation that Signifyd provided meant the retailer could scale up orders infinitely and that its customer service team could focus on providing the kind of great customer experience they were known for and not have to worry about reviewing troublesome-looking orders.
Signifyd provides an end-to-end Commerce Protection Platform that leverages its Commerce Network to maximise conversion, automate customer experience and eliminate fraud and customer abuse for retailers. Signifyd counts among its customers a number of companies on the Fortune 1000 and Internet Retailer Top 500 lists. Signifyd is headquartered in San Jose, CA, with locations in Denver, New York, Belfast and London.